Solved

Spam Problem

Posted on 2010-08-27
2,448 Views
Last Modified: 2012-05-10
Hi,
We run Exchange 2007 at our office.  One server is dedicated to Edge Transport, and the other server is Mailbox, Hub Transport and Client Access.  Some of the long-time people at our office who have been here for 10 years get LOTS of spam daily.  The president of the company averages about 200 spam per day.

The Edge Transport server really should be taking care of this problem.
Here are some of the settings we use:
Content Filtering
Delete Messages -- Unchecked
Reject Messages -- Checked for SCL 7
Quarantine Messages -- Checked for SCL 6

Sender ID is enabled.

Sender Reputation Properties
Sender Confidence Level -- Checked
Action: 7

I updated to Exchange2007 SP3 last night so Version: 08.03.0083.000 is running on both of our servers.  Everyone is still getting the same amount of spam.

We are even using RBLs:
zen.spamhaus.org
dnsbl.sorbs.net
bl.spamcop.net
dnsbl-1.uceprotect.net
...and signed up to use Barracuda's service http://www.barracudacentral.org/rbl

It doesn't seem to make much of a difference at all.

I'm starting to wonder if we have an infected computer somewhere on our LAN that is spamming people.

How do all our settings look?
What do the experts have to say about this?

Thanks,
Jamie
Question by:jamorlando
15 Comments
 
LVL 7

Expert Comment

by:Paul Tozer
ID: 33542882
Can you get the message header from a few of the emails and post them
0
 

Author Comment

by:jamorlando
ID: 33543211
Here's a couple that went straight to inbox after our Exchange upgrade.  I have changed our actual company name to @ourcompany.com to protect the innocent :)

Received: from exchange02.iks.bz (192.168.210.130) by exchange01.iks.bz
 (192.168.210.7) with Microsoft SMTP Server (TLS) id 8.3.83.0; Fri, 27 Aug
 2010 10:43:59 -0400
Received: from xs160.bestcarssite.info (64.202.124.160) by smtp.insertkey.com
 (192.168.210.130) with Microsoft SMTP Server id 8.3.83.0; Fri, 27 Aug 2010
 10:43:53 -0400
Message-ID: <7362058816035093985.4656b797cc6b9d7cc42e9bc3820d4e78.1119882280@xs160.bestcarssite.info>
Subject: NEWS ALERT: Apple iPad auctions for up to 95% off retail!
From: SwipeBids <SwipeBids@bestcarssite.info>
MIME-Version: 1.0
To: <joe@ourcompany.com>
Date: Fri, 27 Aug 2010 10:40:12 -0400
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Return-Path: SwipeBids@bestcarssite.info
X-MS-Exchange-Organization-PRD: bestcarssite.info
Received-SPF: Pass (exchange02.iks.bz: domain of SwipeBids@bestcarssite.info
 designates 64.202.124.160 as permitted sender) receiver=exchange02.iks.bz;
 client-ip=64.202.124.160; helo=xs160.bestcarssite.info;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus Pass;OrigIP:64.202.124.160
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: PASS


Received: from exchange02.iks.bz (192.168.210.130) by exchange01.iks.bz
(192.168.210.7) with Microsoft SMTP Server (TLS) id 8.3.83.0; Fri, 27 Aug
2010 00:22:48 -0400
Received: from otenet.gr (87.202.56.2) by smtp.insertkey.com (192.168.210.130)
with Microsoft SMTP Server id 8.3.83.0; Fri, 27 Aug 2010 00:22:48 -0400
From: Sale on sexual boosters <subazino3279@otenet.gr>
To: <tjohnson@ourcompany.com>
Subject: Dear customer tjohnson, here's 70% Sale invitation.. who replacing
Date: Fri, 27 Aug 2010 07:23:03 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <adfb8897-6bfd-415b-8a0e-73976cdf08fd@exchange02.iks.bz>
Return-Path: subazino3279@otenet.gr
X-MS-Exchange-Organization-PRD: otenet.gr
Received-SPF: None (exchange02.iks.bz: subazino3279@otenet.gr does not
designate permitted sender hosts)
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus None;OrigIP:87.202.56.2
X-MS-Exchange-Organization-SCL: 3
X-MS-Exchange-Organization-SenderIdResult: NONE
0
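An added example (not from the thread): a small Python script that reads the Edge Transport stamps from the first header block above, finds the originating public IP from the Received chain, shows what the thresholds given in the question (reject at SCL 7, quarantine at SCL 6) did with an SCL of 0, and builds the reversed-octet names a DNSBL lookup against the listed RBLs would query. The headers are a trimmed, constructed copy of the ones posted; no DNS lookups are performed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, trimmed from the first header block posted in the thread.
SAMPLE_HEADERS = """\
Received: from exchange02.iks.bz (192.168.210.130) by exchange01.iks.bz
 (192.168.210.7) with Microsoft SMTP Server (TLS) id 8.3.83.0; Fri, 27 Aug 2010 10:43:59 -0400
Received: from xs160.bestcarssite.info (64.202.124.160) by smtp.insertkey.com
 (192.168.210.130) with Microsoft SMTP Server id 8.3.83.0; Fri, 27 Aug 2010 10:43:53 -0400
From: SwipeBids <SwipeBids@bestcarssite.info>
Received-SPF: Pass (exchange02.iks.bz: domain of SwipeBids@bestcarssite.info
 designates 64.202.124.160 as permitted sender) receiver=exchange02.iks.bz;
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: PASS

"""

# Thresholds and RBL zones as the question lists them.
SCL_REJECT, SCL_QUARANTINE = 7, 6
RBL_ZONES = ["zen.spamhaus.org", "dnsbl.sorbs.net", "bl.spamcop.net", "dnsbl-1.uceprotect.net"]

def unfold(value):
    """Collapse RFC 5322 header folding into one line."""
    return " ".join(value.split())

def originating_ip(received):
    """Walk Received hops newest-first; return the first non-private 'from' IP."""
    for hop in received:
        m = re.search(r"from \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)", unfold(hop))
        if m and not ipaddress.ip_address(m.group(1)).is_private:
            return m.group(1)
    return None

def dnsbl_queries(ip, zones=RBL_ZONES):
    """Reversed-octet names a DNSBL lookup of `ip` would resolve (no DNS is done here)."""
    rev = ".".join(reversed(ip.split(".")))
    return [f"{rev}.{zone}" for zone in zones]

def triage(raw_headers):
    """Read the Edge stamps and say what the configured thresholds did with the message."""
    msg = message_from_string(raw_headers)
    scl = int(msg["X-MS-Exchange-Organization-SCL"])
    disposition = "rejected" if scl >= SCL_REJECT else "quarantined" if scl >= SCL_QUARANTINE else "delivered"
    ip = originating_ip(msg.get_all("Received", []))
    return {"scl": scl, "disposition": disposition, "origin_ip": ip,
            "sender_id": msg["X-MS-Exchange-Organization-SenderIdResult"],
            "spf": unfold(msg["Received-SPF"]).split(" ", 1)[0],
            "rbl_lookups": dnsbl_queries(ip) if ip else []}
```

A Sender ID PASS only says the sending IP is authorised by whoever controls bestcarssite.info, which a spammer owning that domain can arrange; with an SCL of 0 the message sits below both thresholds, which is why it reached the inbox.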
 
LVL 3

Expert Comment

by:Fr0zT
ID: 33543589
See this document:
http://technet.microsoft.com/en-us/library/bb124696(EXCHG.80).aspx

The edge server requires tuning to aggressively block spam.  I'm not even convinced that by itself it would be a great solution without some other software like Forefront, GFI MailEssentials, Symantec Brightmail etc.
0
 

Author Comment

by:jamorlando
ID: 33544105
Trust me ... I've read about ALL these settings, and it doesn't seem to make a difference.  When I set them too aggressively, people start not receiving important business emails.

I think it's unacceptable that third party software be the solution to this problem.

In any case, I'm still wondering if someone on our network has a virus that's spamming people?  I have no idea how I would even test this unless we shut off every desktop and server here except for the two exchange servers.
0
 

Author Comment

by:jamorlando
ID: 33545442
If you notice in the first message header I posted, the SCL is 0!  How can that be????  The email address is from SwipeBids@bestcarssite.info ... even a 2 year old would know that's spam.

Come on guys, I know there has to be something to fix this.
0
 
LVL 7

Accepted Solution

by:
Philonator earned 333 total points
ID: 33549648
I agree with Fr0zT 100%, the edge blocking doesn't work well.  I have found it just takes the worst of the worst out and that's it.  I do not think you have an infected machine on your local site.  Once your email is on a spam list, the spammers sell it to other spammers and it never ever stops.

I know you don't want a third party solution but Microsoft has a great virus/spam filter for under $1/yr/mailbox. It's called Forefront Online Protection for Exchange.
0
 

Author Comment

by:jamorlando
ID: 33558421
Philonator, I like that there is a free 30 day trial.  I'm going to set this up.  Has anyone used this product?  Success?
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33558680
I have tried it on one client and we are going to recommend it for more.  It is working sweet.  You can schedule a sales demo with them.  The most negative parts are that you need to sign a 3 yr agreement (but don't let that bother you) and change MX records.  After that it is smooth sailing.

You basically redirect your mail to Microsoft first, they filter it, and then it is sent to your Exchange server.  There are other options you buy from them like archiving and encryption at the same low price.  It's relatively new, but I can see this product taking some serious market share from Barracuda and others.

Last two thoughts:  I hated the idea at first, but once it was in place I became a believer, and I swear I am not a sales rep for them!
0
 

Author Comment

by:jamorlando
ID: 33558704
It says $1.75 per user.  We have around 100 outlook users, however only about 10 of them get spam.  Can you only set it up for the 10 users, or would we have to pay for all 100?
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33558756
When you point the MX records, all mail will be filtered.  So technically you need to buy it for all users and service accounts.
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33558805
BTW, buy it through a reseller like Ingram or Tech Data and you will get the $1 a mailbox discounted price.
0
 

Author Comment

by:jamorlando
ID: 33558986
Awesome to know about Tech Data... we use them here all the time.
Another question:  Can we ditch our Edge Transport server if we get FOPE implemented?
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33559279
I would like to say yes, but is that all the edge server is doing?  When we implemented it we left everything in place first, and saw that it was doing what it advertised to do.  We then started removing equipment and programs without issue.
0
 

Author Comment

by:jamorlando
ID: 33559298
Ok, I'll feel it out.  I'm going to get the trial, and if I have any more questions, I'll put it in the discussion or open a new thread.  Thank you!
0
 
LVL 7

Expert Comment

by:Philonator
ID: 33559316
Post back to this thread either way what you do.  I think it would be helpful to others.
0